Snort mailing list archives

Re: Snot attacks and -z est option - regarding FAQ 1.9


From: counter.spy () gmx de
Date: Mon, 1 Apr 2002 18:21:07 +0200 (MEST)

Hi Chris,

Another question:
I have performed some testing with snot-0.92a attacks against snort during
the last few weeks.

The FAQ claims that snort is not vulnerable to such attacks, but I have
found some problems with snort during these tests. Some of them are fixed
with the 1.8.4 release but some are not.

What other problems besides your next one?

Those Short Header Problems that caused 1.8.4-beta4 to crash and which you
have already fixed, remember?  ;)



One of the problems that I think I also have read about on this list is
the following:
Snot uses random IP numbers. Running Snot against a snorted machine over
a longer period of time (I ran it overnight) without delays caused the
system to reach its limits for creating new files. This in turn caused
snort to terminate.

what logging mode? 

mySQL and default logging to /var/log/snort/

Sounds like default which is so often misconfigured

Yep, we already discussed that. :)

I'm wholly tempted to axe it out of snort forever.

Good idea. I don't like the fashion of snort's default logging anyway, for
exactly this reason.
Well, I remember you telling me that in one of your replies to my mail where
I addressed this problem. But I didn't have "-z established" enabled at that
time.

Of course in a production environment you will have reacted long
before this happens, because such attacks are very noisy and
unlikely to happen. But it could be used in order to hide the real
attack within all the noise that snot generates, so some correlation
is needed in order to eliminate those "false positives".
Another issue is that I tried to reduce the alerts that were caused by
snot by using the -z est option. That idea was based on my assumption
that snot causes many fake connections, i.e. no real connections are
established. This did not help, I still got most of the alerts.

Was stream4 enabled? What was your snort output?  Were the alerts ICMP
and UDP?  Those don't have sessions that could be established.  

I was using part of Sandro's settings from the "Snort-Setup for Statistics
HOWTO":
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor unidecode: 80 8080 3128
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

-z est makes it "harder" because they actually have to get an
established stream.

As you possibly know, I am testing several IDSs just as part of my thesis
and thus focus on very basic testing. My aim is to develop a concept on which
technologies to use and how to deploy IDS within our corporate network. My
time is very limited (3 months).
I must admit that I had already finished the tests with snort and that the
"-z established" was just a quick last check in order to see if it reduces
the alerts that were generated by snot.
For this reason I ran snot with 100 packets for each test, using only 10
rules that were mixed TCP and UDP - 3 tests with and 3 without the "-z
established" option.
I didn't check each alert in detail, just the number of alerts, and I found
this didn't vary much.


Of course the attacked system still had the possibility of resolving
the correct source IP through ARP, because attacker and target are
in the same network and so the target still gets the original MAC
address and is able to reply to the snotmachine.

arp who-was? :-)  Generating alerts isn't restricted to that and you
could do DDOS zombies with bind.version queries and generate just as
many alerts and they would be valid.
-- 
Chris Green <cmg () snort org>
"I'm beginning to think that my router may be confused."

So do you agree with me that snot can be used for kind of DOSing snort, or at
least the poor analyst who has to check all those alerts?

Thanks for your input. Sorry that I didn't have the time to go into more
detailed analysis.
Maybe I will do a proper test on this later, if I still have the time in the
end.

Greetings,
D. Liesen
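An added illustration (not code from this thread or from the Snort project) of the point Chris makes above: with stream4 tracking the three-way handshake, "-z est" discards TCP traffic that never reached an established stream, so spoofed snot-style TCP packets stop alerting while UDP (and ICMP) packets, which have no session to establish, alert exactly as before. The packet model, the flag letters, the addresses and the "cmd.exe" signature string are all constructed for the example.

```python
from collections import namedtuple
# Constructed packet model; flags are TCP flag letters such as "S", "SA", "PA".
Pkt = namedtuple("Pkt", "proto src dst sport dport flags payload", defaults=("", b""))

class StreamTracker:
    """Toy stand-in for stream4's three-way-handshake tracking (not Snort code)."""
    def __init__(self):
        self.state = {}  # flow key -> "SYN", "SYN_ACK" or "EST"
    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)  # one key for both directions
        return (a, b) if a <= b else (b, a)

    def update(self, p):
        k = self.key(p)
        s = self.state.get(k)
        if p.flags == "S" and s is None:
            self.state[k] = "SYN"
        elif p.flags == "SA" and s == "SYN":
            self.state[k] = "SYN_ACK"
        elif "A" in p.flags and s == "SYN_ACK":
            self.state[k] = "EST"
        return self.state.get(k)

def rule_matches(p):
    # Stand-in for a content rule (constructed signature).
    return b"cmd.exe" in p.payload

def run_sensor(packets, established_only):
    """Return the packets that alert; established_only models 'snort -z est'."""
    tracker, alerts = StreamTracker(), []
    for p in packets:
        if p.proto == "tcp":
            state = tracker.update(p)
            if established_only and state != "EST":
                continue  # no handshake seen: spoofed/stateless TCP is ignored
        if rule_matches(p):
            alerts.append(p)
    return alerts

def sample_traffic():
    # Constructed: one real session (handshake, then payload) plus snot-style
    # spoofed TCP and UDP packets from random-looking sources with no handshake.
    real = [Pkt("tcp", "10.0.0.5", "10.0.0.80", 40000, 80, "S"),
            Pkt("tcp", "10.0.0.80", "10.0.0.5", 80, 40000, "SA"),
            Pkt("tcp", "10.0.0.5", "10.0.0.80", 40000, 80, "A"),
            Pkt("tcp", "10.0.0.5", "10.0.0.80", 40000, 80, "PA", b"GET /cmd.exe")]
    spoofed = [Pkt("tcp", f"198.51.100.{i}", "10.0.0.80", 1000 + i, 80, "PA", b"cmd.exe") for i in range(5)]
    spoofed += [Pkt("udp", f"203.0.113.{i}", "10.0.0.80", 1000 + i, 53, "", b"cmd.exe") for i in range(5)]
    return real + spoofed
```

Running `run_sensor(sample_traffic(), True)` versus `False` shows the TCP noise vanishing while the five UDP alerts remain, which is why a mixed TCP/UDP rule set sees only a modest drop in alert count.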
